Hello,

Nope. smtps (port 465) and submissions (port 587) are two separate services 
defined in master.cf. Their use will not affect each other.

"smtps" is the old name for "submissions" and both refer to 465. "submission" (without 
the "s" on the end) is port 587.

Find the "smtps" or "submissions" section in your master.cf file and uncomment 
it, then stop and start postfix.


Did that, and now I get something in the logs:

2024-11-08T16:14:09.034570+01:00 mail postfix/submissions/smtpd[107564]: connect from unknown[192.168.1.1]
2024-11-08T16:14:09.040936+01:00 mail postfix/submissions/smtpd[107564]: SSL_accept error from unknown[192.168.1.1]: -1
2024-11-08T16:14:09.042051+01:00 mail postfix/submissions/smtpd[107564]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
2024-11-08T16:14:09.043133+01:00 mail postfix/submissions/smtpd[107564]: lost connection after CONNECT from unknown[192.168.1.1]
2024-11-08T16:14:09.043723+01:00 mail postfix/submissions/smtpd[107564]: disconnect from unknown[192.168.1.1] commands=0/0

Can anyone tell me what this means?

IMO it shows that 192.168.1.1 is trying to connect to your submission smtpd 
with an SSL cipher that is not compatible with your postfix allowed/configured 
set of ciphers.

E.g. I have in my main.cf

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

and have lots of such reports like yours above over the day. Nothing that I 
really care about.

What is interesting is that apparently 192.168.1.1 is an internal network, 
so you better check on the configuration of that machine regarding what ciphers 
and such it uses or what ciphers YOUR installation of postfix can offer.

https://www.postfix.org/TLS_README.html#server_cipher

Maybe this pointer helps?

Florian

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
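
The "TLS library problem" warning in the log excerpt above does not name the client, so tallying handshake failures per client means correlating it with the "connect from" line of the same smtpd process. The following is an added example, not part of the thread or of Postfix: a small log summarizer whose sample input is constructed from the excerpt (unwrapped) plus one made-up successful session.

```python
import re
from collections import Counter

# Constructed sample: the thread's log lines unwrapped, plus an invented clean session.
SAMPLE_LOG = """\
2024-11-08T16:14:09.034570+01:00 mail postfix/submissions/smtpd[107564]: connect from unknown[192.168.1.1]
2024-11-08T16:14:09.040936+01:00 mail postfix/submissions/smtpd[107564]: SSL_accept error from unknown[192.168.1.1]: -1
2024-11-08T16:14:09.042051+01:00 mail postfix/submissions/smtpd[107564]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
2024-11-08T16:14:09.043723+01:00 mail postfix/submissions/smtpd[107564]: disconnect from unknown[192.168.1.1] commands=0/0
2024-11-08T16:20:01.000000+01:00 mail postfix/submission/smtpd[107600]: connect from client.example[203.0.113.7]
2024-11-08T16:20:01.500000+01:00 mail postfix/submission/smtpd[107600]: disconnect from client.example[203.0.113.7] ehlo=2 starttls=1 quit=1 commands=4
"""

# "postfix/<service>/smtpd[pid]:"; the service part is absent without a syslog_name override.
LINE = re.compile(r"^\S+ \S+ postfix/(?:(?P<svc>[\w-]+)/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from \S*\[(?P<ip>[^\]]+)\]")
# OpenSSL error string: error:<code>:SSL routines:<function, may be empty>:<reason>:<file>:<line>:
TLS_ERR = re.compile(r"TLS library problem: error:[0-9A-Fa-f]+:SSL routines:[^:]*:(?P<reason>[^:]+):")

def tls_failures(log_text):
    """Count TLS library errors per (service, client IP, reason)."""
    peer = {}          # (service, pid) -> client IP of the session in progress
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        svc = m["svc"] or "smtp"
        key, msg = (svc, m["pid"]), m["msg"]
        if (c := CONNECT.match(msg)):
            peer[key] = c["ip"]
        elif (e := TLS_ERR.search(msg)):
            # The warning carries no address: use the one recorded at connect time.
            counts[(svc, peer.get(key, "?"), e["reason"])] += 1
        elif msg.startswith("disconnect from"):
            peer.pop(key, None)   # smtpd processes are reused for later clients
    return counts

if __name__ == "__main__":
    for (svc, ip, reason), n in tls_failures(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {svc:12s} {ip:15s} {reason}")
```
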